Fix zizmor security issues in GA (#73)
marvinfriede authored Dec 15, 2024
1 parent 33ae826 commit 94e18b7
Showing 10 changed files with 55 additions and 19 deletions.
10 changes: 6 additions & 4 deletions .github/workflows/codeql.yml
Expand Up @@ -2,9 +2,9 @@ name: "CodeQL"

on:
push:
branches: [ "main" ]
branches: ["main"]
pull_request:
branches: [ "main" ]
branches: ["main"]
schedule:
- cron: "25 21 * * 5"

Expand All @@ -20,11 +20,13 @@ jobs:
strategy:
fail-fast: false
matrix:
language: [ python ]
language: [python]

steps:
- name: Checkout
uses: actions/checkout@v3
uses: actions/checkout@v4
with:
persist-credentials: false

- name: Initialize CodeQL
uses: github/codeql-action/init@v2
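Review bot: `actions/checkout` is bumped to the mutable `v4` tag and `github/codeql-action/init@v2` stays on a tag, while ubuntu.yaml in this same commit pins codecov-action to a full commit SHA; pinning every action the same way gives a consistent supply-chain posture, e.g. `uses: actions/checkout@<full-commit-sha> # v4.x.y` (placeholder). The bump is also applied only here: macos-arm.yaml, macos-x86.yaml, release.yaml, ubuntu.yaml and windows.yaml all keep `actions/checkout@v3` after this commit, and release.yaml is the publishing path. `codeql-action` v2 is an older major line, so confirm it is still maintained before settling on a pin for it. The job definition continues below this hunk.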
10 changes: 8 additions & 2 deletions .github/workflows/macos-arm.yaml
Expand Up @@ -73,6 +73,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
Expand All @@ -88,7 +90,11 @@ jobs:
run: echo "TOXENV=py$(echo ${{ matrix.python-version }} | tr -d '.')-torch$(echo ${{ matrix.torch-version }} | tr -d '.')" >> $GITHUB_ENV

- name: Print TOXENV
run: echo "TOXENV is set to '${{ env.TOXENV }}'."
run: echo "TOXENV is set to '${TOXENV}'."
env:
TOXENV: ${{ env.TOXENV }}

- name: Unittests with tox
run: tox -e ${{ env.TOXENV }}
run: tox -e $TOXENV
env:
TOXENV: ${{ env.TOXENV }}
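Review bot: The two new `env:` blocks that set `TOXENV: ${{ env.TOXENV }}` on the "Print TOXENV" and "Unittests with tox" steps are no-ops: the value written to `$GITHUB_ENV` by the preceding step is already exported to every later step of the job, so `run: tox -e "$TOXENV"` works without them, and quoting the expansion avoids word splitting. The unchanged `run:` that writes TOXENV still interpolates `${{ matrix.python-version }}` and `${{ matrix.torch-version }}` straight into shell text; these are static workflow values, so the injection risk is low, but routing them through `env:` keeps expression expansion out of the shell uniformly, as the commit now does elsewhere. The same applies to the matching hunks in macos-x86.yaml, ubuntu.yaml and windows.yaml. The `name:` line of the TOXENV-setting step sits above this hunk.
```yaml
# … unchanged: step name line (above this hunk) …
  env:
    PY_VERSION: ${{ matrix.python-version }}
    TORCH_VERSION: ${{ matrix.torch-version }}
  run: echo "TOXENV=py$(echo "$PY_VERSION" | tr -d '.')-torch$(echo "$TORCH_VERSION" | tr -d '.')" >> "$GITHUB_ENV"

- name: Print TOXENV
  run: echo "TOXENV is set to '${TOXENV}'."

- name: Unittests with tox
  run: tox -e "$TOXENV"
```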
10 changes: 8 additions & 2 deletions .github/workflows/macos-x86.yaml
Expand Up @@ -84,6 +84,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
Expand All @@ -99,7 +101,11 @@ jobs:
run: echo "TOXENV=py$(echo ${{ matrix.python-version }} | tr -d '.')-torch$(echo ${{ matrix.torch-version }} | tr -d '.')" >> $GITHUB_ENV

- name: Print TOXENV
run: echo "TOXENV is set to '${{ env.TOXENV }}'."
run: echo "TOXENV is set to '${TOXENV}'."
env:
TOXENV: ${{ env.TOXENV }}

- name: Unittests with tox
run: tox -e ${{ env.TOXENV }}
run: tox -e $TOXENV
env:
TOXENV: ${{ env.TOXENV }}
4 changes: 4 additions & 0 deletions .github/workflows/release.yaml
Expand Up @@ -33,6 +33,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false

- name: Build wheel (bdist)
run: pipx run build --wheel
Expand All @@ -47,6 +49,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false

- name: Build source distribution (sdist)
run: pipx run build --sdist
12 changes: 9 additions & 3 deletions .github/workflows/ubuntu.yaml
Expand Up @@ -90,6 +90,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
Expand All @@ -105,13 +107,17 @@ jobs:
run: echo "TOXENV=py$(echo ${{ matrix.python-version }} | tr -d '.')-torch$(echo ${{ matrix.torch-version }} | tr -d '.')" >> $GITHUB_ENV

- name: Print TOXENV
run: echo "TOXENV is set to '${{ env.TOXENV }}'."
run: echo "TOXENV is set to '${TOXENV}'."
env:
TOXENV: ${{ env.TOXENV }}

- name: Unittests with tox
run: tox -e ${{ env.TOXENV }}
run: tox -e $TOXENV
env:
TOXENV: ${{ env.TOXENV }}

- name: Upload coverage to Codecov
uses: codecov/codecov-action@v3
uses: codecov/codecov-action@7f8b4b4bde536c465e797be725718b88c5d95e0e # 5.1.1
if: >
matrix.python-version == '3.11' &&
matrix.torch-version == '2.2.2' &&
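Review bot: The SHA pin on codecov-action is the right move, but its trailing comment `# 5.1.1` has no `v` prefix; Dependabot and Renovate recognise a tag-style comment such as `# v5.1.1` and keep it in sync when they bump the SHA, whereas a bare number may be left stale and stops matching the upstream tag name. The pin also jumps two major versions (v3 to v5); from v4 onward the uploader needs a Codecov token for most repositories, so check that the `with:` inputs below this hunk (not visible here) supply one. The step's `if:` condition continues past the end of the hunk.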
10 changes: 8 additions & 2 deletions .github/workflows/windows.yaml
Expand Up @@ -82,6 +82,8 @@ jobs:
steps:
- name: Checkout code
uses: actions/checkout@v3
with:
persist-credentials: false

- name: Set up Python ${{ matrix.python-version }}
uses: actions/setup-python@v5
Expand All @@ -97,7 +99,11 @@ jobs:
run: echo "TOXENV=py$(echo ${{ matrix.python-version }} | tr -d '.')-torch$(echo ${{ matrix.torch-version }} | tr -d '.')" >> $GITHUB_ENV

- name: Print TOXENV
run: echo "TOXENV is set to '${{ env.TOXENV }}'."
run: echo "TOXENV is set to '${TOXENV}'."
env:
TOXENV: ${{ env.TOXENV }}

- name: Unittests with tox
run: tox -e ${{ env.TOXENV }}
run: tox -e $TOXENV
env:
TOXENV: ${{ env.TOXENV }}
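Review bot: `run: tox -e $TOXENV` and `'${TOXENV}'` assume a POSIX shell; on a Windows runner the default shell is pwsh, where `$TOXENV` is an empty PowerShell variable and the environment value would be `$env:TOXENV`. The TOXENV-setting step already relies on `tr -d '.'`, so the job presumably sets `shell: bash` somewhere above this hunk — worth confirming explicitly, and quoting as `"$TOXENV"` either way. The enclosing job continues outside the hunk.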
8 changes: 6 additions & 2 deletions .pre-commit-config.yaml
Expand Up @@ -38,7 +38,7 @@ repos:
--min-py-version,
"3.8",
--max-py-version,
"3.11",
"3.12",
]

- repo: https://github.com/asottile/pyupgrade
Expand All @@ -60,10 +60,14 @@ repos:
- id: black
stages: [pre-commit]

- repo: https://github.com/woodruffw/zizmor-pre-commit
rev: v0.9.2
hooks:
- id: zizmor

- repo: https://github.com/pre-commit/mirrors-mypy
rev: v1.13.0
hooks:
- id: mypy
additional_dependencies: [types-all]
pass_filenames: false
args: [--config-file=pyproject.toml, --ignore-missing-imports, src]
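Review bot: The new zizmor hook at `rev: v0.9.2` only runs on contributors' machines, so anyone who skips pre-commit can still merge a workflow regression; the commit adds no CI-side enforcement of the same audit. Running it in a workflow as well (for example through `pre-commit/action`, or a step that executes zizmor against `.github/workflows` and uploads the SARIF) closes that gap. Separately, `--max-py-version` moves to `"3.12"`; confirm this agrees with the Python versions declared in pyproject.toml and the CI matrices, neither of which is in this diff.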
4 changes: 2 additions & 2 deletions src/tad_dftd3/data/radii.py
Expand Up @@ -29,7 +29,7 @@
from tad_mctc._version import __tversion__
from tad_mctc.data.radii import COV_D3

from ..typing import Tensor
from ..typing import Any, Tensor

__all__ = ["COV_D3", "VDW_D3"]

Expand All @@ -52,7 +52,7 @@ def _load_vdw_rad_d3(
Tensor
VDW radii.
"""
kwargs: dict = {"map_location": device}
kwargs: dict[str, Any] = {"map_location": device}
if __tversion__ > (1, 12, 1): # pragma: no cover
kwargs["weights_only"] = True

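Review bot: The tightened annotation `kwargs: dict[str, Any]` is fine (subscripting `dict` is safe under the 3.8 floor because local-variable annotations are not evaluated at runtime), but the assignment still has no comment explaining the conditional `weights_only` that follows it: on torch 1.12.1 and older the keyword does not exist and `torch.load` falls back to unrestricted pickle deserialisation, so this path must only ever read a trusted file. Suggested comment above the assignment: `# weights_only exists only on torch > 1.12.1; older releases use full pickle loading, so only a trusted, package-shipped file may be read here.` The identical block in `_load_c6` in reference.py would take the same comment. Both functions continue beyond their hunks.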
4 changes: 3 additions & 1 deletion src/tad_dftd3/reference.py
Expand Up @@ -48,6 +48,7 @@ def _load_cn(
Tensor
Reference coordination numbers.
"""
# fmt: off
return torch.tensor(
[
[-1.0000, -1.0000, -1.0000, -1.0000, -1.0000, -1.0000, -1.0000], # None
Expand Down Expand Up @@ -158,6 +159,7 @@ def _load_cn(
device=device,
dtype=dtype,
)
# fmt: on


def _load_c6(
Expand All @@ -178,7 +180,7 @@ def _load_c6(
Tensor
Reference C6 coefficients.
"""
kwargs: dict = {"map_location": device}
kwargs: dict[str, Any] = {"map_location": device}
if __tversion__ > (1, 12, 1): # pragma: no cover
kwargs["weights_only"] = True

2 changes: 1 addition & 1 deletion test/test_model/test_reference.py
Expand Up @@ -15,7 +15,7 @@
"""
Test the reference.
"""
from typing import Optional
from typing import Optional, Union
from unittest.mock import patch

import pytest
